Death of antivirus software greatly exaggerated

John P. Mello Jr.
Dec. 16, 2014

An executive at a company whose name is synonymous with antivirus software raised eyebrows earlier this year when he pronounced the death of that form of system protection. Nevertheless, while the effectiveness of that software may have waned over the years, security experts say the pronouncement by Symantec's senior vice president for information security Brian Dye was premature.

"White listing is a great solution for controlled environments, like retail POS systems, manufacturing and health systems," Intel's Kenyon said. "You say what applications can run and anything outside that list fails to run so malware never activates."

When whitelisting is brought to the consumer or end-user corporate environment, its maintenance can be burdensome because end-users are constantly adding apps to their devices. "That's why we haven't seen a huge amount of whitelisting in the user environment," Kenyon noted.

"It's been great on servers, great for data centers, great for controlled retail environments, but it's been a challenge on your traditional desktop/laptop," he added.

Banga cited a survey his company conducted in June of 300 information security pros as evidence of dissatisfaction with antivirus. A hefty number of the pros — 85 percent — don't believe that antivirus can stop targeted attacks, like Advanced Persistent Threats and spear phishing, which are a substantial part of the current threat landscape.

Moreover, Banga argued, antivirus is ineffective against polymorphic and zero-day attacks, which are also popular among intruders. Both methods exploit systems before the signatures to combat them become available.

"It takes security researchers days to detect new threats and write new signatures, giving a polymorphic attack more than enough time to change its code," Banga said. "When advanced attacks can be executed at a moment's notice, the signatures to detect them are still days away."
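The contrast Kenyon and Banga describe, a default-deny application allowlist versus a signature blocklist that only knows samples researchers have already seen, as an added illustration that is not code from the article or from any vendor quoted in it (all "binaries", hashes and the padded "polymorphic" variant are constructed stand-ins):

```python
import hashlib

# Constructed byte strings standing in for executables on a retail POS host.
KNOWN_GOOD = {
    "pos_app.exe": b"POS TERMINAL APPLICATION v1.0",
    "inventory.exe": b"INVENTORY SYNC CLIENT",
}
MALWARE_V1 = b"MALWARE PAYLOAD build 1"          # the sample researchers captured
MALWARE_V2 = MALWARE_V1 + b"\x00" * 3             # constructed variant: same behaviour, new hash


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature AV: a blocklist of hashes for samples already analysed.
SIGNATURES = {sha256(MALWARE_V1)}


def blocklist_allows(data: bytes) -> bool:
    """Default-allow: everything runs unless it matches a known-bad signature."""
    return sha256(data) not in SIGNATURES


# Allowlisting: only hashes of explicitly approved applications may run.
ALLOWLIST = {sha256(blob) for blob in KNOWN_GOOD.values()}


def allowlist_allows(data: bytes) -> bool:
    """Default-deny: anything outside the approved list fails to run."""
    return sha256(data) in ALLOWLIST


def evaluate(samples: dict) -> dict:
    """Map each sample name to (runs under signature AV, runs under allowlist)."""
    return {name: (blocklist_allows(d), allowlist_allows(d)) for name, d in samples.items()}


if __name__ == "__main__":
    # "new_app.exe" is a constructed user-installed program nobody has approved yet:
    # it shows the maintenance burden Kenyon mentions, not a detection.
    samples = dict(KNOWN_GOOD, malware_v1=MALWARE_V1, malware_v2=MALWARE_V2,
                   new_app=b"USER INSTALLED UTILITY")
    for name, (sig_ok, allow_ok) in evaluate(samples).items():
        print(f"{name:14} signature AV runs it: {sig_ok!s:5}  allowlist runs it: {allow_ok}")
```

The padded variant slips past the signature set but never runs under the allowlist, while the unapproved utility is blocked until someone adds it, which is the trade-off the article describes.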

Antivirus software's inability to deal with sophisticated threats isn't the only criticism leveled at it in recent times. In July, a researcher at Singapore-based COSEINC maintained that many antivirus programs contain vulnerabilities that actually make the systems they're installed on more susceptible to attack.

Researcher Joxean Koret explained that antivirus engines typically run with the highest system privileges possible. Exploiting vulnerabilities in them will provide attackers with root or system access, he continued. Their attack surface is very large, because they must support a long list of file formats. To deal with all those file types, the software uses file format parsers, which typically have bugs.

Nevertheless, Bromium's Banga noted, "AV software may likely continue to serve consumers, who generally have less need for robust protection or the savvy to manage more featured products."

"However," he added, "security-conscious organizations have already started to transition away from AV solutions."

There are those, though, who maintain antivirus isn't as impotent as its critics say it is. Jaeson Schultz, a threat researcher with Cisco Systems' Security Business Group, asserted that antivirus software has evolved over the past five years to provide greater protection. Not only has antivirus software added more heuristic functionality — which enables it to deal more effectively with non-signature threats — but it blocks an assortment of malware, such as rootkits, remote access trojans (RATs), keyloggers, spyware, adware, and even "potentially unwanted applications." It will even protect users against malware vectors like email, social media and files transmitted via the web.